@alex
Member

@alex alex commented Feb 7, 2023

No description provided.

@reaperhulk reaperhulk enabled auto-merge (squash) February 7, 2023 16:25
@reaperhulk reaperhulk merged commit 9fbf84e into pyca:main Feb 7, 2023
@alex alex deleted the dont-mutate-me-bro branch February 7, 2023 16:35
reaperhulk pushed a commit to reaperhulk/cryptography that referenced this pull request Feb 7, 2023
alex added a commit that referenced this pull request Feb 7, 2023
* Don't allow update_into to mutate immutable objects (#8230)

* add changelog for 39.0.1

* oops

* bump versions

* remove circle

---------

Co-authored-by: Alex Gaynor <[email protected]>
@zhuofeng6

Does this involve interface changes?

@reaperhulk
Member

It behaves exactly the same unless you were passing an immutable type (e.g. a byte string). So the interface has technically changed but in practice it has only changed for the vulnerable path.

@zhuofeng6

In this case, change the buf class type from bytes to bytearray. Is it OK?

It can't use the bytes type anymore.

def update_into(self, data: bytes, buf: bytes) -> int:

@zhuofeng6

I'm not sure what the effect of this vulnerability is.

@reaperhulk
Member

Unfortunately the Python type hint system doesn’t have a way to represent “all objects that implement the buffer protocol but only the mutable types”, so bytes is still the closest to “correct” type that we can declare.
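
As an added illustration of the behaviour described above (this is not code from the PR or from the cryptography project): a stand-in for an update_into-style API that inspects the output buffer through memoryview and refuses read-only objects, so bytearray callers are unaffected while bytes callers get a TypeError instead of a silently mutated immutable object. The function name write_into and the XOR transform standing in for the cipher step are assumptions.

```python
from typing import Union

BufferLike = Union[bytes, bytearray, memoryview]


def write_into(data: bytes, buf: BufferLike) -> int:
    """Hypothetical stand-in for an update_into-style API (not the library's code).

    Writes a toy transformation of ``data`` into ``buf`` and returns the number
    of bytes written, refusing any buffer that Python reports as read-only.
    """
    view = memoryview(buf)
    # The security-relevant check: bytes and read-only memoryviews still expose
    # the buffer protocol, so without this test native code would write into an
    # object that Python promises is immutable (and may share or cache).
    if view.readonly:
        raise TypeError("buf must be a writable buffer such as bytearray, not bytes")
    if view.ndim != 1 or view.itemsize != 1:
        raise TypeError("buf must be a one-dimensional byte buffer")
    if len(view) < len(data):
        raise ValueError(f"buf is too small: need {len(data)}, have {len(view)}")
    # Constructed toy transform standing in for a cipher step: XOR with 0xFF.
    for i, b in enumerate(data):
        view[i] = b ^ 0xFF
    return len(data)


def classify(buf: BufferLike) -> str:
    """Report whether write_into accepts a given output buffer type."""
    try:
        write_into(b"\x00\x01", buf)
    except TypeError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    out = bytearray(4)
    print(write_into(b"abc", out), out)       # 3 bytearray(b'\x9e\x9d\x9c\x00')
    print(classify(bytearray(2)))             # accepted (unchanged path)
    print(classify(memoryview(bytearray(2)))) # accepted
    print(classify(b"\x00\x00"))              # rejected (the vulnerable path)
    print(classify(memoryview(b"\x00\x00")))  # rejected
```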

@zhuofeng6

What is the impact of this CVE? I don't seem to feel the threat of this vulnerability.

icanhasmath added a commit to ActiveState/cryptography that referenced this pull request Jan 18, 2024
Don't allow update_into to mutate immutable objects pyca#8230
pyca#8230